Android Flaw Might Also Affect iOS, Windows

A shared-memory side channel let researchers infer Gmail's screen state 92% of the time and slip a fake login screen in front of it; the same technique may work against iOS and Windows apps.


Researchers at the University of California, Riverside and the University of Michigan have found a flaw in Android that lets a malicious app hijack other apps' screens, and they believe the same technique can be used against iOS and Windows mobile apps.

The flaw is a side channel: sandboxing is meant to isolate apps from one another, but every app draws its screen through a shared system component whose memory use is observable from other processes.

Though apps on mobile devices run their code in their own sandboxes, they all rely on a common graphical-interface framework, the window manager, which renders each app's interface elements on screen. The window manager hands each app memory it shares with the system for its window buffers, so an app's shared-memory footprint rises and falls as it opens and closes screens.

The attack requires a malicious app to be installed and running in the background on an Android device. The malicious app is designed to be inconspicuous, with low energy overhead and minimal permissions. Its job is to watch the shared-memory usage of other apps, which the window manager changes as each screen is drawn, and infer from those changes what the foreground app is doing.

By watching how the shared-memory footprint changes as other apps put interface elements on screen, the malicious app can tell which screen a target app is about to show and then inject a precisely timed fake interface element, such as a login screen, to capture credentials or otherwise dupe the user. The researchers call this an activity hijacking attack; it is a form of UI spoofing rather than a man-in-the-middle attack, since no traffic between the app and its server is intercepted.

The researchers tested seven Android apps -- Amazon, Chase, Gmail, H&R Block, Hotels.com, Newegg, and WebMD -- and, for all but Amazon's, correctly inferred the target app's interface state between 82% and 92% of the time.

The attack worked against Gmail 92% of the time but against the Amazon app only 48% of the time. The researchers attributed this to Amazon's highly variable interface and to the app's extensive use of cached data, which leaves fewer observable memory changes for the malicious app to work from.

Zhiyun Qian, an associate professor at the University of California, Riverside, said in an email that although he and his colleagues did not evaluate gaming apps, he suspects many would not be vulnerable to the attack. "My guess is that those apps may not be affected as they may use lower-layer graphics APIs for performance reasons," he wrote.

The same inference technique can also be used to obtain sensitive images through what the researchers call a "camera peeking attack." Certain apps keep image files only in memory because the images contain sensitive data, such as an app that lets users photograph a check and deposit it electronically. By monitoring the target's interface transitions, the malicious app can detect when the camera is being used and take a photo of its own immediately afterward, without the user's knowledge, obtaining a nearly identical image. This variant does need the camera permission, which is one reason the researchers also want to restrict what background apps may do.

The researchers propose several mitigations: restricting access to the per-process files under /proc that expose memory statistics (the channel the attack reads), tightening the interface animation system so that a genuine interface element cannot be stealthily replaced by a fake one, and limiting the functions available to background apps so they cannot, for example, secretly take pictures.
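The following simulation illustrates both the monitoring step described above (reading another app's shared-memory counter and matching its changes against known screen transitions) and the proposed /proc mitigation. It is an added example, not code from the article or from the UC Riverside and University of Michigan researchers. It assumes, hypothetically, that the third field of /proc/<pid>/statm ("shared", in pages) grows when the window manager maps new buffers for a screen and shrinks when the old ones are released, and that each transition has a repeatable delta pattern. The statm samples and the transition signatures are constructed for illustration, not captured from a real device.

```python
"""Simulated UI state inference from the 'shared' counter in /proc/<pid>/statm.

Added illustration, not the researchers' code. Assumptions (hypothetical):
the victim's statm file is readable, the 'shared' field changes when window
buffers are mapped or released, and each Activity transition has a
repeatable delta pattern. All samples and signatures below are constructed.
"""
import os

PAGE_SIZE = 4096  # assumed; a real monitor would use os.sysconf("SC_PAGE_SIZE")

# Constructed /proc/<pid>/statm samples for a hypothetical victim app,
# polled at a fixed interval. Fields (in pages):
#   size resident shared text lib data dt
SAMPLE_STATM = [
    "81234 20100 5000 1200 0 6200 0",  # idle on the main screen
    "81234 20100 5000 1200 0 6200 0",
    "81900 20800 5300 1200 0 6200 0",  # +300 pages: new window buffers mapped
    "81700 20600 5200 1200 0 6200 0",  # -100 pages: previous window released
    "81700 20600 5200 1200 0 6200 0",
    "81700 20600 5200 1200 0 6200 0",
    "81700 20600 5200 1200 0 6200 0",
    "82500 21200 5800 1200 0 6200 0",  # +600 pages
    "82300 21000 5700 1200 0 6200 0",  # -100 pages
    "82300 21000 5700 1200 0 6200 0",
]

# Hypothetical transition signatures as tuples of shared-page deltas. In the
# real attack these would be learned offline by driving the target app.
SIGNATURES = {
    "LoginActivity": (300, -100),
    "ComposeActivity": (600, -100),
}


def parse_statm(line):
    """Parse one statm line into page counts; raise on malformed input."""
    fields = line.split()
    if len(fields) < 7:
        raise ValueError("malformed statm line: %r" % line)
    return {"size": int(fields[0]), "resident": int(fields[1]),
            "shared": int(fields[2])}


def shared_deltas(lines):
    """Return (sample_index, delta_pages) for every change in 'shared'."""
    shared = [parse_statm(l)["shared"] for l in lines]
    return [(i, shared[i] - shared[i - 1])
            for i in range(1, len(shared)) if shared[i] != shared[i - 1]]


def group_transitions(deltas, max_gap=2):
    """Cluster deltas that occur within max_gap samples into one transition."""
    groups = []
    for idx, delta in deltas:
        if groups and idx - groups[-1][-1][0] <= max_gap:
            groups[-1].append((idx, delta))
        else:
            groups.append([(idx, delta)])
    return groups


def match_transition(observed, signatures=SIGNATURES, tolerance=0.15):
    """Best-matching Activity name for a delta pattern, or None if none fits."""
    best, best_err = None, None
    for name, sig in signatures.items():
        if len(sig) != len(observed):
            continue
        errs = [abs(o - s) / abs(s) for o, s in zip(observed, sig)]
        if max(errs) <= tolerance and (best is None or sum(errs) < best_err):
            best, best_err = name, sum(errs)
    return best


def infer_activities(lines):
    """Inference step: (sample_index, Activity) for each recognised transition.
    The index is the moment at which a spoofed screen would be launched."""
    result = []
    for group in group_transitions(shared_deltas(lines)):
        pattern = tuple(delta for _, delta in group)
        result.append((group[-1][0], match_transition(pattern)))
    return result


def statm_readable(pid):
    """Mitigation check: once /proc is mounted with hidepid=2 (as Android 7.0
    and later do), other apps' /proc entries are invisible, the open fails,
    and this side channel is closed."""
    try:
        with open("/proc/%d/statm" % pid) as f:
            f.read()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for idx, activity in infer_activities(SAMPLE_STATM):
        print("sample %d: victim opened %s" % (idx, activity))
    print("own statm readable:", statm_readable(os.getpid()))
```

The tolerance and grouping window are the knobs that trade false positives against missed transitions; the paper's reported accuracy gap between Gmail and Amazon is the same trade-off seen from the attacker's side, since a highly variable interface produces delta patterns that fit no single signature.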


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business.

That's really the biggest issue isn't it? Any app out there has the potential to be malicious and the markets have made it easier for people to get large audiences for their apps. Look at an app like Flappy Bird, it was dirt simple yet became one of the most popular apps on the markets. People installing it after the hype hit would have clicked yes if the ToS said they had to give up a limb.

So in order for this particular exploit to work, it has to use a "malicious" app to discharge its payload. LOL. That only narrows it down to anything currently out there as they are all inherently malicious by design mostly in the form of privacy intrusions, transmitting any/all data back to the mothership without the user knowing about it save for the clickwrap ToS (which no one reads) upon installation.

That's not going to help. The only permission it needs is internet access. Practically every app needs internet access. So this code could be hidden inside an app that provides some genuine useful functionality, gets a lot of great reviews because it does that job well and still be insidiously phoning in your information. That's why this app is so scary. It could be any great app that could be doing this and we would be none the wiser. The only fix for this is for Google to prevent this from happening by changing how the shared memory is being used. I don't know enough of the details on how this actually works, but from their statements, Android seems to be intentionally designed to provide this access (presumably for some useful reason). So changing this may take some doing and possibly break some other good apps.

The more granular permissions would be a good start as long as developers use them properly. My biggest issue with app security is that I see all kinds of crazy permissions requested. Like why does a game need access to my contacts? Things like that are an immediate closing of the app on the Play store.

Pedro, I partly disagree. I agree to the extent that future developers will be able to learn much from this flaw but I disagree that it will not cause harm because now many know the problems with the OS including hackers.

We've known for years that a compromised OS cannot be trusted and most even go so far as to claim it's like a horse with a broken leg. Why is it a revelation when we discover that a mobile OS isn't safe when compromised by similar tactics?

While it's always good to add more layers of protection, if a malicious application managed to install itself on your device, do you still trust your device if fine-grained control makes it harder for background spy apps to steal data?

The impact is much more than mobile applications. Google is commanding an IoT strikeforce and plans to have its stronghold in the IoT industry. Such accusations against Google's products that question Google's security might be image disturbing for the company.

Amping up the security would mean nothing. Nothing is impenetrable. Not even NSA's defences against independent hackers. What could be done is maybe have all the app developers supported by Google Store have a time-generated signature (like a key) that enables them to upload the app in the android device. This signature would be generated by Google's engines and it would be one time use only. It's like Google saying "Oh so you want your customer to download your software? Please, what is the password again?"
